Secrets/Mystery World

New Iran-Linked Hacker Group ‘Cavern Manticore’ Targets Israeli Government via IT Supply Chain : Report

New Iran-Linked Hacker Group ‘Cavern Manticore’ Targets Israeli Government via IT Supply Chain : Report

Researchers identify a new Iran-linked cyber espionage group using a modular malware framework to target Israeli government and IT organizations through trusted service providers.

 

Researchers at Check Point Research (CPR) have identified a new Iran-linked cyber threat group named "Cavern Manticore", which has been conducting espionage operations against Israeli government agencies and information technology organizations. According to the company's latest research, the group has been active since early 2026 and is primarily focused on cyber intelligence gathering rather than destructive attacks.

The report states that Cavern Manticore has technical overlaps with other Iranian threat groups linked to Iran's Ministry of Intelligence and Security (MOIS), including MuddyWater and Lyceum. Researchers say the group's operations mainly target Israeli government and IT sectors, with a strong emphasis on exploiting trusted IT service providers to gain access to their intended victims.

 

IT Supply Chain Used as an Entry Point

According to Check Point Research, Cavern Manticore frequently gains initial access by abusing existing Remote Monitoring and Management (RMM) software already deployed within targeted organizations. Instead of directly attacking government networks, the group compromises IT service providers and then uses those trusted connections to reach government systems.

Researchers documented cases in which the attackers moved through multiple organizations before reaching their final targets. In several intrusions, the attackers first compromised one IT provider, then moved to another service provider before accessing a government environment.

One observed incident involved the misuse of a legitimate software deployment feature in SysAid, an IT service management platform. Researchers emphasized that SysAid itself was not compromised, and no SysAid vulnerability was exploited. Instead, the attackers had already gained access to the victim's environment and abused an existing software deployment capability to install malware on another system.

The deployment process included a compromised version of the legitimate disk usage utility WinDirStat, which was used to load malicious code through a technique known as DLL side-loading.

 

Modular "Cavern" Framework

At the center of the campaign is a modular command-and-control (C2) framework called Cavern.

According to Check Point, every observed component of the framework is built using Microsoft's .NET platform but compiled into different output formats. Researchers identified three compilation methods:

  • Standard .NET Framework (IL-only)
  • Mixed-Mode C++/CLI
  • Native AOT

The report says this uncommon combination makes malware analysis significantly more difficult because investigators must use different analysis tools and metadata reconstruction techniques depending on the sample.

The framework consists of two main components:

  • Cavern Agent, which acts as a persistent backdoor and manages communication with attacker-controlled servers.
  • Cavern Modules, which are downloaded only when required to perform specific tasks.

Researchers said each module runs inside a separate AppDomain, allowing it to be removed from memory after completing its task, reducing forensic evidence on compromised systems.

 

Wide Range of Post-Exploitation Capabilities

Once inside a network, Cavern Manticore can deploy additional modules that expand its access and intelligence-gathering capabilities.

According to the report, these modules allow attackers to:

  • Browse local file systems.
  • Access SQL databases.
  • Perform LDAP and Active Directory queries.
  • Conduct network reconnaissance.
  • Establish SOCKS5 and WebSocket tunnels for lateral movement within compromised networks.

Researchers also observed the attackers adapting to restricted environments by using legitimate Windows features when standard file transfer methods were unavailable. These included browser-based remote desktop technologies and remote printing functions to move sensitive information outside victim networks.

 

Low Detection Rates

Check Point said many of the observed malware samples recorded zero or very low detection rates on VirusTotal, highlighting the framework's ability to avoid traditional malware detection.

Rather than relying on heavy code obfuscation, the malware uses different .NET compilation formats as an anti-analysis technique, making reverse engineering more complex while remaining difficult for security tools to classify.

 

Links to Other Iranian Threat Groups

Based on infrastructure usage, technical characteristics, and targeting patterns, Check Point Research assesses that Cavern Manticore shares technical similarities with other Iranian MOIS-linked cyber groups, including MuddyWater and Lyceum.

The researchers said the operation reflects an ongoing focus on cyber espionage targeting Israeli government and technology organizations through trusted third-party IT providers.

 

Security Implications

According to Check Point, the campaign highlights the importance of protecting IT supply chains and closely monitoring the use of remote management software within enterprise environments.

The researchers recommend organizations strengthen monitoring of Remote Monitoring and Management (RMM) tools, review software deployment processes, and improve segmentation between service providers and sensitive internal systems to reduce the risk of similar supply chain attacks.

Check Point Research said it continues to monitor Cavern Manticore's activity and has published technical indicators of compromise (IOCs) to help organizations identify and respond to related threats.

 
 
Source: checkpoint
 

——— End of Article ———

About the Author

Aditya Kumar is a Defense & Geopolitics Analyst covering military developments, missile systems, naval strategy, and global defense affairs.